Deep-Dive: The Lazarus Group

“The North Korean-based Lazarus Group is a state-sponsored hacking organization responsible for some of the costliest computer intrusions in history, including the cyber attack on Sony Pictures Entertainment, a series of attacks targeting banks across the world that collectively attempted to steal more than one billion dollars, and the WannaCry ransomware attack that affected tens of thousands of computer systems across the globe. ” - Federal Bureau of Investigation, US Department of Justice.

Although it may seem unusual to those outside of the security industry, North Korea presents one of the greatest cyber threats on the global stage, to the financial sector, to critical infrastructure, to multinational conglomerates, and it will employ cyber-espionage and cyber-warfare against the regime's opposition. The main way security researchers and vendors track North Korean activity is through attributing attacks to the Lazarus advanced persistent threat (APT). However, this group also has several other names from various vendors presenting their differing visibilities of Lazarus’ attacks.

Lazarus is also often referred to as HIDDEN COBRA by the US Government generally, which directly refers to any malicious cyber activity which is attributed to North Korea. But since Lazarus has been around for a few decades now, this APT is also known as ZINC to Microsoft, or even Bureau 121, the North Korean cyber warfare division, to some.

Before North Korea began achieving serious sums of money via elaborate bank heists and cryptocurrency exchange ransacking, they began earning it through other traditional nefarious methods such as counterfeiting and drug trafficking. The US Secret Service even declared that vast amounts of counterfeit ‘super notes’ were originally manufactured in North Korea. Eventually the DPRK realised there were vast amounts of funds to be made via cyber attacks which could assist them in funding their weapons of mass destruction (WMD) program.

Due to its proximity, South Korea is still largely on the receiving end of North Korean cyber attacks that persist to this day. As we speak there will be thousands of spear phishing emails sent to South Korean enterprises, government officials and politicians, and military personnel which if successful enable North Korea’s intelligence gathering forces to collect their desired information. In 2013, a group tracked as WhoIs - what we now call Lazarus - was responsible for a ‘logic bomb’ which wiped the hard drives of at least three banks and two media companies simultaneously. This put ATMs across the country out of action and prevented the news from spreading about it. Three South Korean cryptocurrency exchanges, Coinis, Bithumb, Youbit, were drained of millions of USD worth of virtual currency in various Lazarus-related cyber attacks. This time, however, the KISA was also able to prevent 10 other exchanges from being victimised from malware contained in malicious emails. Lazarus was responsible for a military intelligence gathering attack on the South Korean defense minister’s personal computer as well as the South Korean MoD’s intranet. In this case the North Korean hackers used IP addresses in Shenyang, China to access the defense ministry’s server. This is a trend which most Lazarus attacks follow due to the IP range in North Korea being much more limited than the rest of the world’s nation states. Therefore, the DPRK has sent hundreds, if not thousands, of its cyber army over the border to China to attack from there. This has been affirmed by North Korea defectors in several interviews.
One of the first major international news grabbing cyber attacks Lazarus executed was in 2014, against the Sony Pictures Entertainment company. At the time, Seth Rogan and James Franco were due to release their film, The Interview, which was about a fictional CIA plot to assassinate the leader of North Korea, Kim Jong-un. Many speculated that the attack against Sony was linked to North Korea’s resentment over the film before the rest of the news made its way out. It is now widely believed that Lazarus, going by the name Guardians of Peace, had penetrated deep into Sony Pictures Entertainment and managed to steal upto 100TB of data and then launched the NukeSPED RAT. This piece of malware was designed with the sole intention of striking the company as the name is generally thought to literally mean Nuke (destroy) Sony Pictures Entertainment’s Data (SPED). Interestingly, NukeSPED RAT utilised a function in the Eldos RawDisk Driver which when detonated would overwrite all data on the Master Boot Record (MBR) leaving machines unable to locate the operating system on the disk, rendering them useless. Some of the data stolen in the attack was a devastating blow for Sony. It included personal information of the upper management, as well as their email conversations. There was also the passport information of Hollywood stars, medical information, employ terminations, criminal background checks, full copies of unreleased films, and entire scripts for unannounced ones. 

The Eldos RawDisk driver is a kernel-mode driver which is used to irreversibly delete data from hard drives. This can also be weaponized, and has been, to render computers useless, deleting all data and the operating systems from the hard drive. In 2012, a threat group going by the name Cutting Sword of Justice used the same Eldos RawDisk driver in a malware now known as ‘Shamoon’ to wipe 30,000 computers at Saudi Aramco, the Saudi Arabian national petroleum and natural gas company. The two incidents are not thought to be linked.

Lazarus then graduated to world class cybercriminals through one of the largest financial cyber attacks to go down in history. The billion dollar bank heist took part in 2016 where our North Korean protagonists tried to steal $1 billion from the Bank of Bangladesh. By infiltrating the Bank’s central network, likely via phishing, they managed to reach the SWIFT computer used to access the SWIFT network. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) network is the international money transfer system that all banks use to move billions of fiat money daily, between themselves. What Lazarus group the proceeded to do is line up dozens of transactions to transfer $1 billion from the Bank of Bangladesh into several separate accounts on 4 February 2016. These accounts had all been opened a year earlier in May 2015. The requests were made using credentials from the Bank of Bangladesh SWIFT computer to the New York Federal Reserve to move the money into dozens of bank accounts in the Philippines, Sri Lanka, and other parts of Asia. $81 million then made its way into these accounts. However, due to a typo, the SWIFT operators at the New York Federal Reserve blocked the rest of the transfers. Costing the DPRK around $800 million. Someone in the Lazarus group apparently had indicated that at least one of the transfers should go to the ‘Shalika Foundation’, but they misspelled “foundation” as “fandation". So although they had not made off with the full original amount they were able to steal $81 million. Most of this money was lost forever, never to be returned. The North Koreans were able to wash the money in the Solaire casino in the Philippines which, at the time, had no anti-money laundering laws. Interestingly, allegedly Baccarat is the game of choice for the money launderers, as it is said to typically produce high percentage returns if you play the game long enough. 

But so far Lazarus’ world-paralyzing moment was yet to come in the form of Wanna Cryptor v2 - also more commonly known as the WannaCry ransomware. WannaCry was able to spread, so widely as it did, due to a previously unknown 0day vulnerability that present in many legacy Windows systems across the world. This 0day vulnerability, and the exploit developed for it, was secretly kept from the rest of the world by the US National Security Agency (NSA). It was later dubbed ‘EternalBlue’ and could be used to penetrate Windows system via the Server Message Block (SMB). EternalBlue is a family of critical vulnerabilities in Microsoft SMBv1 server used in Windows 7, Windows Server 2008, Windows XP, and even Windows 10 running on port 445 as well as many other devices which Microsoft SMBv1. This family of critical vulnerabilities was exploited by a hacking tool, developed by the NSA, called the DoublePulsar backdoor. Therefore, with this knowledge and this tool, the NSA were able to make their way into vulnerable affected systems. Then, seemingly out of nowhere, a mysterious group going by the name ‘The Shadow Brokers’ leaked the NSA’s 0day vulnerability and its DoublePulsar backdoor as well as several other NSA hacking tools, publicly to the rest of the world. This was a shock to security teams and IT departments globally which had to quickly implement mitigations and workarounds whilst Microsoft worked on releasing a patch. This happened to be two months before WannaCry then struck. Some organisations which failed to implement such patches, like the UK’s NHS which eventually succumbed to the opportunistic Lazarus Group which tried to extort millions of pounds worth of Bitcoin out of the health system, although it allegedly declined to pay off any ransom demands. WannaCry itself, appends encrypted data files with the .WCRY extension, then runs a decryptor program that demands $300 or $600 USD (via Bitcoin) to decrypt the data. The malware uses encrypted TOR channels for its command and control (C2) communications. The ransomware worm was said to have hit over 300,000 computers across 150 nations, causing several billions of dollars in damages. In the UK alone, WannaCry cost UK taxpayers £92 million ($120.7 million).

On September 6, the US Department of Justice formally charged a North Korean programmer, Park Jin Hyok, for some of the biggest cyber-attacks in recent years. Investigators say that Park worked for Chosun Expo, a front company which the North used to get Park into China, the city of Dalian to be more precise. The DoJ found Park’s resume and noticed it listed the ability to code in Java, JSP, PHP, Flash, but also Visual C++, the language in which most Lazarus Group malware was written in, such as WannaCry and DTRACK. More information can be found in the 179-page DOJ indictment.

In 2019, Lazarus also made international news after India’s Kudankulam Nuclear Power Plant (KKNPP) suffered a cyber attack. Security researchers found a sample of DTRACK malware which contained suspicious details believed to relate to private addresses and system information that looked very much like they belonged to the KKNPP. DTRACK is a RAT (remote access tool) which is used to collect information and move laterally inside a network. Upon inspection, researchers found the code is similar to ATMDTRACK malware that was created to steal credit card information from hundreds of ATMs across India. It has since been alleged that there was also an attack on the Indian Space Research Organisation (ISRO) during its failed Chandrayaan-2 Lunar Lander mission. North Korean APT Lazarus has been blamed. Some security researchers also noted that DTRACK does have MBR wiping capabilities which, some speculate, may have been used on KKNPP and ISRO.

North Korea continues to utilise Lazarus (a/k/a Lab 110 or Unit 180 or Bureau 121) for devastating cyber attacks against any target deemed worthy. Lazarus is certainly a financially motivated APT which generates funds for the regime's developing WMD program - at the peril of global condemnation. North Korea is currently under some of the harshest international sanctions in the world, with China being its single trading partner. Therefore, the regime has created Lazarus as a tool to earn additional funds for financing expensive nuclear weapons development. Cyber attacks appear to be an ideal way for the regime to generate funds and can still sow doubt into the minds of many because some still believe North Korea is not capable of such attacks. It is more than likely Lazarus is plotting or in the midst of another attack campaign, as what North Korea does have is time.

References & Additional reading:

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

Lessons from the iSOON Leaks